Interesting question, I have the same problem, I hope you can find a solution.
Angelo On 20/02/2019, 11:39, "Giovanni Conte" <[email protected]> wrote: Hi, I would like to do the timestamps difference of packet captures (pcap). The problem is that, when i do: drill:zk=local> SELECT `timestamp` FROM dfs.root.`/capture_file.pcap`; i get (showing the first 2 rows) | 2019-01-30 05:00:00.207 | | 2019-01-30 05:00:00.207 | We can see milliseconds accuracy. On wireshark, the timestamps are: 2019-01-30 05:00:00.207*239* 2019-01-30 05:00:00.207*243* and so microseconds accuracy. I tried so to change the timestamp format from "default" to "yyyy-MM-dd HH:mm:ss.SSSSSS" with the commad: jdbc:drill:zk=local> !set timestampformat "yyyy-MM-dd HH:mm:ss.SSSSSS" Now, when I query I get: | 2019-01-23 05:00:00.000207 | | 2019-01-23 05:00:00.000207 | and instead of taking the *second triple*, i.e. the microseconds *239* and *243*, it is shifting the milliseconds at the microsecons position. Thus, the simple question is: how can I get microsecond (or more) accurancy within a pcap query? Thank you very much, Giovanni
